Directoryless public key cryptographic system and method

ABSTRACT

A method of operating an identity based directoryless key-code cryptographic communication system having two users A and B and a universal authority U, involving the generation of a public modulus M, being the product of two primes P and Q, and the operation of a publicly available secure one way hash function, #. User A presents his identity to U who uses #, M, P and Q to generate a decryption key, r, which is only made available to A. User B, who wishes to transmit a message to A, can encrypt data by using the #, M and A's identity. User A can recover the data by using r.

[0001] The present invention relates to asymmetric key-code cryptographic communications systems and methods and in particular to identity based systems wherein the user's identity, for example his email address, is used to work out an encryption function.

[0002] Many applications, such as electronic banking and email systems, require the transfer of information between microprocessors over communications channels. In such applications it is preferable to encrypt information passing over the communications channel to prevent unauthorised disclosure of the information.

[0003] Cryptographic functions may be implemented in a microprocessor controlled communications system by the use of either symmetrical or asymmetrical algorithms.

[0004] In an asymmetrical algorithm system a user makes universally available a single “public” key to anyone wishing to send the user a message. The user retains a decryption key, the so-called “private” key, which is related in some way to the public key. A well-known asymmetrical algorithm based communications system is the RSA algorithm (U.S. Pat. No. 4,405,829).

[0005] In public/private key encryption systems it is necessary to know the public key of the recipient of the message. In an online system, for example a telephone system, recipients can send their public key as and when it is required to enable someone to send them encrypted messages. However, in an offline system, for example an email system, the need to know the public key necessitates the holding of directories of public keys.

[0006] In an identity based system (an asymmetrical system) it is possible to avoid the need for a separate public key directory by making a user's public key a function of his identity, for example his email address.

[0007] The possibility of an identity based system was first proposed in a paper by A. Shamir (Identity-based cryptosystems and signature schemes, Advances in Cryptology—CRYPTO '84, Lecture Notes in Computer Science, vol. 196, Berlin: Springer Verlag, pp. 47-53, 1985). The paper discussed a cryptographic scheme which would enable a pair of users to communicate securely and also verify each other's signatures without exchanging public keys, without keeping key directories and without using the services of a third party. The scheme assumed the existence of a key generation centre who would generate a user's decryption key from any combination of the user's name, address, telephone number etc. provided it uniquely identified the user in a way that could not be denied. Shamir acknowledged, however, that his identity based scheme could not be implemented using the RSA scheme. Either it was computationally impossible for the key generation centre to calculate the private key or users could determine supposedly hidden properties of the scheme from their own public and private keys.

[0008] An identity based non-interactive public key distribution system was also proposed by Maurer and Yacobi (U. Maurer and Y. Yacobi, Non-Interactive Public Key Cryptography, Advances in Cryptology—Proceedings of Eurocrypt '91). The system proposed, however, required considerable computational effort on the part of the trusted key generation authority.

[0009] A further key distribution system based on identification information is described by Okamoto (E. Okamoto, Key Distribution Systems Based on Identification Information, Advances in Cryptology—Proceedings of Crypto '87). Okamoto proposed two types of system, the first for decentralised networks (where users communicate directly with one another) and the second for centralised networks (which require a network centre to function). This system was not truly directoryless, however, since the user's identity was used only as part of the key generation process and so a public directory was still needed for offline communication between users.

[0010] It is the object of the present invention to provide a workable directoryless public key system.

[0011] The object of the present invention is achieved by considering two users A and B and a universal authority U, involving the generation of a public modulus M; where in a first embodiment M is the product of two primes P and Q which are both congruent to 3 mod 4, and a publicly available secure one-way hash function # is operated, characterised by the following steps:

[0012] i) having U determine the public modulus M;

[0013] ii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a or −a and supply a resulting root, r, to A;

[0015] iii) having B compute a and transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0017] iv) having user B retransmit the bit of cryptovariable b to A encrypted as $s^{\prime} = \left( t^{\prime} - \frac{a}{t^{\prime}} \right) \bmod M$, where t′ is a different random number modulo M to t such that $\left( \frac{t^{\prime}}{M} \right) = \left( \frac{t}{M} \right) = b$;

[0019] v) having user A recover cryptovariable bit b by computing $b = \left( \frac{s + 2r}{M} \right)$ or $b = \left( \frac{s^{\prime} + 2r}{M} \right)$.

[0020] A second embodiment of the invention details a similar directoryless key-code cryptographic communication system also employing the publicly available # and where one or both of the primes P and Q are congruent to 1 mod 4. In this case the invention is characterised by the following steps:

[0021] i) having U determine the public modulus M;

[0022] ii) having U find and publish an integer x such that x is not a square modulo P nor Q;

[0023] iii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a or xa and supply a resulting root, r, to A;

[0025] iv) having B compute a and transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0027] v) having B retransmit the bit of cryptovariable b to A encrypted as $s^{\prime} = \left( t^{\prime} + \frac{xa}{t^{\prime}} \right) \bmod M$, where t′ is a different random number modulo M to t such that $\left( \frac{t^{\prime}}{M} \right) = \left( \frac{t}{M} \right) = b$;

[0029] vi) having A recover cryptovariable bit b by computing $b = \left( \frac{s + 2r}{M} \right)$ or $b = \left( \frac{s^{\prime} + 2r}{M} \right)$.

[0030] A third embodiment of the invention describes how the system can be worked without the need for the re-transmission of data described in previous embodiments. This uses M, the product of any two non-even primes, and also uses the # function and is characterised by the following steps:

[0031] i) having U determine the public modulus M;

[0032] ii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a, −a or xa, where x, which is an additional publicly available system parameter, is an integer which is neither square modulo P nor Q, and to supply a resulting root, r, to A;

[0034] iii) having U publish whether A has received a root of +a, −a or xa;

[0035] iv) having B compute a and:

[0036] (I) if A has received a root of +a: transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0038] (II) if A has received a root of −a: transmit a bit of cryptovariable b to A encrypted as s′=(t−a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0040] (III) if A has received a root of xa: transmit a bit of cryptovariable b to A encrypted as $s^{\prime\prime} = \left( t + \frac{xa}{t} \right) \bmod M$, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0043] v) having A recover cryptovariable bit b by computing (I) $b = \left( \frac{s + 2r}{M} \right)$, (II) $b = \left( \frac{s^{\prime} + 2r}{M} \right)$ or (III) $b = \left( \frac{s^{\prime\prime} + 2r}{M} \right)$.

[0044] In the above embodiments the users' identities may be based upon their email addresses, optionally together with the current date.

[0045] In a further useful variant of the present invention, the responsibility for generating the public modulus M is split between two or more universal authorities. Such a split key cryptographic system is described in GB Patent Application 9715761.4 (filed 28th Jul. 1997) and in Split Knowledge Generation of RSA Parameters by C. Cocks (from Proceedings of 6th IMA Conference on Cryptography and Coding, Cirencester, December 1997, published by Springer Verlag, Lecture Notes in Computer Science vol. 1355). This variant has the advantage of added security since no one authority holds all the information necessary to intercept and de-code messages.

[0046] Methods of working the invention may be effected by using microprocessors.

[0047] In a particularly advantageous arrangement of the invention, providing the opportunity to reduce bandwidth without compromising security of the system, only a message header section which precedes the main message is encrypted in accordance with a method as described above while the main message is encrypted by means of a standard technique. The message header is then used to detail which of a number of standard encryption techniques is to be used in the main message. This will result in the overall encryption system being computationally less expensive than one encrypting the whole message.

[0048] Examples according to the present invention will now be described with reference to the accompanying figures, in which:

[0049] FIG. 1 is a functional representation of the registration process.

[0050] FIG. 2 is a functional representation of the encryption, transmission and decryption process.

EXAMPLE 1

[0051] (I) (FIG. 1) To begin, a universal authority U generates a universally available public modulus M which is the product of two primes P and Q, which are known by U only, where P and Q are both congruent to 3 mod 4. P and Q are chosen to be very large to make it computationally unfeasible to factorise M. A first user A then presents his identity to U and a publicly known secure one-way hash function (hereinafter referred to as the “hash function”) is applied to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1. The process essentially involves the multiple application of the hash function in a structured way to produce a set of candidate values for a, stopping when $\left( \frac{a}{M} \right) = +1$.

[0053] The correct operation of the hash function on a recipient's identity will be evident from the hash function itself and can be replicated by anyone holding the universal parameters and A's identity. U can calculate the square root modulo M since he knows P and Q, and he presents one of the four possible roots, r, to A. It should be noted that it is essential that only one of the roots r is ever released to ensure that the integrity of the system is not compromised. This root r will later enable A to decrypt any encrypted messages he receives. One way for U to determine this root is to calculate $r = a^{\frac{M + 5 - (P + Q)}{8}} \bmod M$. Such an r will exist as $\left( \frac{a}{M} \right) = +1$, so $\left( \frac{a}{P} \right) = \left( \frac{a}{Q} \right)$ (see footnote¹), and so either a is a square modulo both P and Q, and hence is a square modulo M, or else −a is a square modulo P, Q and hence M. The latter case arises because by construction P and Q are both congruent to 3 mod 4 and so $\left( \frac{-1}{P} \right) = \left( \frac{-1}{Q} \right) = -1$.

[0056] Thus either a or −a will be square modulo P and Q. $\left( \frac{x}{M} \right)$ is the product of the two square modulo symbols $\left( \frac{x}{P} \right)$ and $\left( \frac{x}{Q} \right)$ (where M=PQ). Thus it is +1 if either x is a square modulo both P and Q or x is a non-square modulo both P and Q. A useful feature of the Jacobi symbol is that it can be calculated without knowledge of the factorisation of M (see, for example, H. Cohen, A Course in Computational Algebraic Number Theory, Springer Verlag Graduate Texts in Mathematics 138, 1993).

[0060] (II) (FIG. 2) A second user B who wishes to send encrypted data to user A first must know the hash function, the public modulus M and the identity of A. B then computes a and encrypts a bit of data b to A as s=(t+a/t) mod M, where t is a random number modulo M such that $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1. User B then transmits s to user A. If user B does not know if A has a root of +a or −a then he will need to replicate the above transmission of the encrypted bit b by choosing a different random number modulo M, t′, where $\left( \frac{t^{\prime}}{M} \right) = \left( \frac{t}{M} \right) = b$ and then transmitting $s^{\prime} = \left( t^{\prime} - \frac{a}{t^{\prime}} \right) \bmod M$ in an identical fashion to A. It should be noted that user B cannot use the same value of t to transmit $s^{\prime} = \left( t - \frac{a}{t} \right) \bmod M$ since it would be possible for someone to decrypt an intercepted message by calculating s+s′=2t and therefore b.

[0064] When used practically, a message sent by the user B will comprise a message header followed by the subject of the message. The header will be encrypted using the above technique and will contain instructions as to how to decode the subject of the message which will be encrypted using a standard encryption technique. The main issue regarding practicality is the bandwidth requirement, as each bit of the message header cryptovariable requires a number of size up to M to be sent. For a 120 bit cryptovariable and using a 1024 bit modulus M, B will need to send 15 Kbytes of keying material. If B does not know whether A has received the square root of a or of −a then he will have to double this. Nevertheless for offline email use this may be an acceptable overhead.

[0065] (III) A then needs to recover the bit b. Since s+2r = t(1+r/t)*(1+r/t) mod M it follows that the Jacobi symbol $\left( \frac{s + 2r}{M} \right) = \left( \frac{t}{M} \right) = b$ (see footnote²).

[0066] As A knows the value of r he can calculate the Jacobi symbol $\left( \frac{s + 2r}{M} \right)$ and hence recover b. If A holds the root of −a as opposed to +a then A will need to calculate $\left( \frac{s^{\prime} + 2r}{M} \right) = \left( \frac{t^{\prime}}{M} \right)$ in order to recover b.

[0067] Footnote 2: $t\left( 1 + \frac{r}{t} \right)\left( 1 + \frac{r}{t} \right) = t + \frac{r^{2}}{t} + 2r$, but r is a root of a, so $r^{2} = a$; therefore this equals $t + \frac{a}{t} + 2r$, and since $s = (t + a/t)$ it equals $s + 2r$.

[0068] Now, $\left( \frac{s + 2r}{M} \right) = \left( \frac{t}{M} \right)\left( \frac{1 + \frac{r}{t}}{M} \right)\left( \frac{1 + \frac{r}{t}}{M} \right)$

[0069] and since the Jacobi symbol is either +1 or −1, then $\left( \frac{s + 2r}{M} \right) = \left( \frac{t}{M} \right)$.

[0070] I.e. user A can recover the value of $\left( \frac{t}{M} \right)$ and therefore the bit b without knowledge of t.

EXAMPLE 2

[0073] The universal authority U generates a universally available public modulus M which is again the product of two primes P and Q, which are known by U only. However, P and Q are not chosen to be both congruent to 3 mod 4. In this case either one of P or Q will be chosen to be congruent to 3 mod 4 and the other congruent to 1 mod 4, or both P and Q will be chosen to be congruent to 1 mod 4. The example described above will be valid with the following modifications:

[0074] 1) The universal authority U will need to find an integer x such that x is not a square modulo P and Q. Integer x will need to be published along with M and the hash function.

[0075] 2) Using the secure one-way hash function as before, U then calculates a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1. User A will receive a square root of either a or xa and such a root can be calculated by a standard technique as described in Cohen. This step corresponds to receiving a square root of a or −a in the case when P and Q are congruent to 3 mod 4.

[0077] 3) Now when B sends data to A, for each bit b that he wishes to send, he chooses values t and t′ for which the Jacobi symbols (t/M) and (t′/M) are +1 or −1 depending on the bit b to be sent. He then sends s=(t+a/t) mod M to A and also s′=(t′+xa/t′) mod M to A.

[0078] 4) A then recovers the bit b as in Example 1, i.e. if he has the square root of a then he recovers b by working out $\left( \frac{s + 2r}{M} \right)$ and if he has the square root of xa then he recovers b by working out $\left( \frac{s^{\prime} + 2r}{M} \right)$.

EXAMPLE 3

[0080] The universal authority U generates a universally available public modulus M which is again the product of two non-even primes P and Q, which are known by U only.

[0081] The universal authority U will need to find an integer x such that x is not a square modulo P and Q. Integer x will need to be published along with M and the hash function.

[0082] Using the secure one-way hash function as before, U then calculates a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1. User A will receive a square root of either a or xa and such a root can be calculated by a standard technique as described in Cohen.

[0084] U publishes whether A has received a root of +a, −a or xa;

[0085] B computes a and:

[0086] (I) if A has received a root of +a: transmits a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0088] (II) if A has received a root of −a: transmits a bit of cryptovariable b to A encrypted as s′=(t−a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0090] (III) if A has received a root of xa: transmits a bit of cryptovariable b to A encrypted as $s^{\prime\prime} = \left( t + \frac{xa}{t} \right) \bmod M$, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1;

[0093] A then recovers the bit b as in Example 1, i.e. if he has the square root of a then he recovers b by working out $\left( \frac{s + 2r}{M} \right)$, if he has the square root of −a then he recovers b by working out $\left( \frac{s^{\prime} + 2r}{M} \right)$, and if he has the square root of xa then he recovers b by working out $\left( \frac{s^{\prime\prime} + 2r}{M} \right)$.
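Footnote 2 of Example 1 carries the decryption identity through only for the +a case. As an added worked step, not part of the patent text, the −a and xa cases follow in the same way once $r^{2}$ is substituted. With $r^{2} = -a$ (Example 1's second transmission, and case (II) above),

$s^{\prime} + 2r = t^{\prime} - \frac{a}{t^{\prime}} + 2r = t^{\prime} + \frac{r^{2}}{t^{\prime}} + 2r = t^{\prime}\left( 1 + \frac{r}{t^{\prime}} \right)^{2} \pmod{M},$

and with $r^{2} = xa$ (Example 2's second transmission, and case (III) above),

$s^{\prime\prime} + 2r = t + \frac{xa}{t} + 2r = t + \frac{r^{2}}{t} + 2r = t\left( 1 + \frac{r}{t} \right)^{2} \pmod{M}.$

In every case the received value plus 2r is t (or t′) times a square, so its Jacobi symbol equals $\left( \frac{t}{M} \right)$ (or $\left( \frac{t^{\prime}}{M} \right)$), which is the bit b, because the squared factor contributes +1. The one caveat is that the squared factor contributes 0 rather than +1 if $1 + r/t$ shares a factor with M; for primes of the size the text requires this happens with negligible probability, but a toy implementation with small primes will see it.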

[0096] Conveniently, the identity of each user will be his publicly known email address and for additional encryption security the current date can be added. As will be apparent to those in the art, further security can be provided to the system by splitting the responsibility for generation of the public modulus among several universal authorities.

[0097] In a particularly advantageous arrangement, aimed to reduce the overall bandwidth of messages without compromising their security, the secure encryption of the present invention may be applied only to message headers accompanying messages encrypted in accordance with a known standard encryption. The key to decrypting the message would then be provided within the message headers.
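The three embodiments (Examples 1 to 3, paragraphs [0051] to [0095]) can be run end to end on toy parameters. The following Python is an added example written for this page, not the patent's own code: it assumes SHA-256 with an appended counter as the "structured" hash-to-a step of paragraph [0052], uses Tonelli-Shanks for the prime-by-prime square roots that Example 2 delegates to Cohen, includes Example 1's single exponentiation for the 3 mod 4 case as a cross-check, and uses constructed primes far too small for real use. The identity strings and all function names are assumptions.

```python
"""Toy run of the identity-based bit-encryption scheme of Examples 1 to 3:
Jacobi symbols, hashing an identity to a with (a/M) = +1, the authority's
root extraction (a, -a or xa) and per-bit encryption/decryption. Added
example, not the patent's own code; the SHA-256 hash-with-counter
construction and the toy primes are assumptions."""
import hashlib
import secrets

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorisation of n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_mod_prime(a, p):
    """Root of residue a modulo odd prime p (Tonelli-Shanks; (p+1)/4 if p = 3 mod 4)."""
    a %= p
    if a == 0 or p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2                                    # any non-residue modulo p will do
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def is_residue(c, p):
    """Euler's criterion; only U can apply it, since it needs the factor p."""
    return pow(c % p, (p - 1) // 2, p) == 1

def hash_to_a(identity, m):
    """Structured repeated hashing of A's identity until (a/M) = +1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % m
        if jacobi(a, m) == 1:
            return a
        counter += 1

def find_nonresidue(p, q):
    """U's published x: a non-square modulo both P and Q (Examples 2 and 3)."""
    x = 2
    while is_residue(x, p) or is_residue(x, q):
        x += 1
    return x

def extract_root(a, p, q, x=None):
    """U's step: (r, kind) with r*r = a, -a or x*a mod M; kind is '+a', '-a' or 'xa'.
    With P, Q = 3 mod 4 the '-a' case covers every a; otherwise x is required."""
    m = p * q
    for kind, mult in (("+a", 1), ("-a", -1), ("xa", x)):
        if mult is not None and is_residue(mult * a, p) and is_residue(mult * a, q):
            rp, rq = sqrt_mod_prime(mult * a, p), sqrt_mod_prime(mult * a, q)
            return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % m, kind  # CRT
    raise ValueError("no root: x must be a non-residue modulo both P and Q")

def extract_root_3mod4(a, p, q):
    """Example 1's single exponentiation (P, Q = 3 mod 4): a root of a or of -a."""
    return pow(a, (p * q + 5 - (p + q)) // 8, p * q)

def encrypt_bit(b, a, m, kind, x=None):
    """B's step for b in {+1, -1}: fresh random t with (t/M) = b, send t + c/t mod M,
    c being a, -a or xa to match A's root (Example 3 publishes the kind; Examples 1
    and 2 send one value per candidate). t is drawn afresh on every call because
    reusing it across s and s' would reveal 2t = s + s' (paragraph [0064])."""
    mult = {"+a": 1, "-a": -1, "xa": x}[kind]
    while True:
        t = secrets.randbelow(m)
        if t and jacobi(t, m) == b:          # non-zero Jacobi symbol => gcd(t, M) = 1
            return (t + mult * a * pow(t, -1, m)) % m

def decrypt_bit(s, r, m):
    """A's step: s + 2r = t(1 + r/t)^2 mod M, so (s + 2r / M) = (t / M) = b."""
    return jacobi(s + 2 * r, m)

def roundtrip(identity, bits, p, q):
    """Registration, then encrypt and decrypt each +/-1 bit; returns the recovered bits."""
    m = p * q
    x = None if p % 4 == 3 and q % 4 == 3 else find_nonresidue(p, q)
    a = hash_to_a(identity, m)
    r, kind = extract_root(a, p, q, x)
    return [decrypt_bit(encrypt_bit(b, a, m, kind, x), r, m) for b in bits]
```

`roundtrip("alice@example.com", [1, -1, -1, 1], 1000000007, 2147483647)` exercises Example 1 (both constructed primes are 3 mod 4, so `extract_root` never needs x and `extract_root_3mod4` gives a root of a or −a for the same a); with 1000000009 and 998244353 (both 1 mod 4) the same call goes through the published non-residue x of Examples 2 and 3, and with one prime of each kind the xa case is the only one that can apply when a is a non-residue. `extract_root` returns the kind of root it issued, which is exactly what Example 3 has U publish; with the primes here the chance of `decrypt_bit` returning 0 (the $1 + r/t$ caveat) is around one in a billion per bit.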

1. A method of operating an identity based directoryless key-code cryptographic communication system comprising two users A and B and a universal authority U, involving the generation of a public modulus M, being the product of two primes P and Q which are both congruent to 3 mod 4, and the operation of a publicly available secure one-way hash function #, comprising the following steps: i) having U determine the public modulus M; ii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a or −a and supply a resulting root, r, to A; iii) having B compute a and transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1; iv) having B retransmit the bit of cryptovariable b to A encrypted as $s^{\prime} = \left( t^{\prime} - \frac{a}{t^{\prime}} \right) \bmod M$, where t′ is a different random number modulo M to t such that $\left( \frac{t^{\prime}}{M} \right) = \left( \frac{t}{M} \right) = b$; v) having user A recover cryptovariable bit b by computing $b = \left( \frac{s + 2r}{M} \right)$ or $b = \left( \frac{s^{\prime} + 2r}{M} \right)$.

2. A method of operating an identity based directoryless key-code cryptographic communication system comprising two users A and B and a universal authority U, involving the generation of a public modulus M, being the product of two primes P and Q of which one or both are congruent to 1 mod 4, and the operation of a publicly available secure one-way hash function #, comprising the following steps: i) having U determine the public modulus M; ii) having U find and publish an integer x such that x is not a square modulo P nor Q; iii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a or xa and supply a resulting root, r, to A; iv) having B compute a and transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1; v) having B retransmit the bit of cryptovariable b to A encrypted as $s^{\prime} = \left( t^{\prime} + \frac{xa}{t^{\prime}} \right) \bmod M$, where t′ is a different random number modulo M to t such that $\left( \frac{t^{\prime}}{M} \right) = \left( \frac{t}{M} \right) = b$; vi) having A recover cryptovariable bit b by computing $b = \left( \frac{s + 2r}{M} \right)$ or $b = \left( \frac{s^{\prime} + 2r}{M} \right)$.

3. A method of operating an identity based directoryless key-code cryptographic communication system comprising two users A and B and a universal authority U, involving the generation of a public modulus M, being the product of any two non-even primes P and Q, and the operation of a publicly available secure one-way hash function #, comprising the following steps: i) having U determine the public modulus M; ii) having U apply the # to A's identity to produce a value a modulo M such that the Jacobi symbol $\left( \frac{a}{M} \right)$ is +1 and then to calculate the square root modulo M of a, −a or xa, where x, which is an additional publicly available system parameter, is an integer which is neither square modulo P nor Q, and to supply a resulting root, r, to A; iii) having U publish whether A has received a root of +a, −a or xa; iv) having B compute a and: (I) if A has received a root of +a: transmit a bit of cryptovariable b to A encrypted as s=(t+a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1; (II) if A has received a root of −a: transmit a bit of cryptovariable b to A encrypted as s′=(t−a/t) mod M, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1; (III) if A has received a root of xa: transmit a bit of cryptovariable b to A encrypted as $s^{\prime\prime} = \left( t + \frac{xa}{t} \right) \bmod M$, where t is a random number modulo M such that the Jacobi symbol $\left( \frac{t}{M} \right) = b$ and b is coded as either +1 or −1; vi) having A recover cryptovariable bit b by computing (I) $b = \left( \frac{s + 2r}{M} \right)$, (II) $b = \left( \frac{s^{\prime} + 2r}{M} \right)$ or (III) $b = \left( \frac{s^{\prime\prime} + 2r}{M} \right)$.

4. A method of operating an identity based directoryless key-code cryptographic communication system as claimed in claim 1 wherein user A is identified by his email address.

5. A method of operating an identity based directoryless key-code cryptographic communication system as claimed in claim 1 wherein A's identity includes the date to increase the security of the system.

6. A method of operating an identity based directoryless key-code cryptographic communication system as claimed in claim 1 wherein the generation of the public modulus is split between a plurality of universal authorities acting in co-operation.

7. A method of operating an identity based directoryless key-code cryptographic communication system, comprising a message header section encrypted according to the method claimed in claim 1 and the transmission message encrypted using a standard encryption technique, the decryption key to the transmission message being in the header section.

8. An identity based directoryless key-code cryptographic system comprising a communications channel accessible by an encryption microprocessor and a decryption microprocessor operably coupled to exchange data and operably connectable to the communications channel wherein the microprocessors are programmed to co-operate according to the method claimed in claim 1.